@convex-dev/better-auth 0.6.0

package/src/component/schema.ts

@@ -0,0 +1,74 @@
+import { defineSchema, defineTable } from "convex/server";
+import { v } from "convex/values";
+
+const schema = defineSchema({
+  user: defineTable({
+    name: v.string(),
+    email: v.string(),
+    emailVerified: v.boolean(),
+    image: v.optional(v.string()),
+    twoFactorEnabled: v.optional(v.boolean()),
+    userId: v.string(),
+    createdAt: v.number(),
+    updatedAt: v.number(),
+  })
+    .index("email", ["email"])
+    .index("userId", ["userId"]),
+
+  session: defineTable({
+    expiresAt: v.number(),
+    token: v.string(),
+    createdAt: v.number(),
+    updatedAt: v.number(),
+    ipAddress: v.optional(v.string()),
+    userAgent: v.optional(v.string()),
+    userId: v.string(),
+  })
+    .index("token", ["token"])
+    .index("userId", ["userId"]),
+
+  account: defineTable({
+    accountId: v.string(),
+    providerId: v.string(),
+    userId: v.string(),
+    accessToken: v.optional(v.string()),
+    refreshToken: v.optional(v.string()),
+    idToken: v.optional(v.string()),
+    accessTokenExpiresAt: v.optional(v.number()),
+    refreshTokenExpiresAt: v.optional(v.number()),
+    scope: v.optional(v.string()),
+    password: v.optional(v.string()),
+    createdAt: v.number(),
+    updatedAt: v.number(),
+  })
+    .index("userId", ["userId"])
+    .index("accountId", ["accountId"])
+    .index("providerId_accountId", ["providerId", "accountId"])
+    .index("userId_providerId", ["userId", "providerId"]),
+
+  twoFactor: defineTable({
+    secret: v.string(),
+    backupCodes: v.string(),
+    userId: v.string(),
+  }).index("userId", ["userId"]),
+
+  verification: defineTable({
+    identifier: v.string(),
+    value: v.string(),
+    expiresAt: v.number(),
+    createdAt: v.optional(v.number()),
+    updatedAt: v.optional(v.number()),
+  })
+    .index("identifier", ["identifier"])
+    .index("expiresAt", ["expiresAt"]),
+
+  jwks: defineTable({
+    publicKey: v.string(),
+    privateKey: v.string(),
+    createdAt: v.number(),
+    // no longer used
+    id: v.optional(v.string()),
+  }),
+});
+
+export default schema;

package/src/component/util.ts

@@ -0,0 +1,4 @@
+import { typedV } from "convex-helpers/validators";
+import schema from "./schema";
+
+export const vv = typedV(schema);

package/src/nextjs/index.ts

@@ -0,0 +1,30 @@
+import { betterAuth } from "better-auth";
+import { createCookieGetter } from "better-auth/cookies";
+import { GenericActionCtx } from "convex/server";
+
+export const getToken = async (
+  createAuth: (ctx: GenericActionCtx<any>) => ReturnType<typeof betterAuth>
+) => {
+  const { cookies } = await import("next/headers");
+  const cookieStore = await cookies();
+  const auth = createAuth({} as any);
+  const createCookie = createCookieGetter(auth.options);
+  const cookie = createCookie("convex_jwt");
+  const token = cookieStore.get(cookie.name);
+  return typeof token === "string" ? token : token?.value;
+};
+
+const handler = (request: Request, opts?: { convexSiteUrl?: string }) => {
+  const requestUrl = new URL(request.url);
+  const convexSiteUrl =
+    opts?.convexSiteUrl ?? process.env.NEXT_PUBLIC_CONVEX_SITE_URL;
+  const nextUrl = `${convexSiteUrl}${requestUrl.pathname}${requestUrl.search}`;
+  const newRequest = new Request(nextUrl, request);
+  newRequest.headers.set("accept-encoding", "application/json");
+  return fetch(newRequest, { method: request.method, redirect: "manual" });
+};
+
+export const nextJsHandler = (opts?: { convexSiteUrl?: string }) => ({
+  GET: (request: Request) => handler(request, opts),
+  POST: (request: Request) => handler(request, opts),
+});

package/src/plugins/convex/client.ts

@@ -0,0 +1,9 @@
+import { BetterAuthClientPlugin } from "better-auth/client";
+import { convex } from ".";
+
+export const convexClient = () => {
+  return {
+    id: "convex",
+    $InferServerPlugin: {} as ReturnType<typeof convex>,
+  } satisfies BetterAuthClientPlugin;
+};

package/src/plugins/convex/index.ts

@@ -0,0 +1,296 @@
+import {
+  createAuthMiddleware,
+  getSession,
+  sessionMiddleware,
+} from "better-auth/api";
+import {
+  BetterAuthPlugin,
+  createAuthEndpoint,
+  customSession as customSessionPlugin,
+  jwt as jwtPlugin,
+  bearer as bearerPlugin,
+  oidcProvider as oidcProviderPlugin,
+} from "better-auth/plugins";
+import { omit } from "convex-helpers";
+import { z } from "zod";
+
+const JWT_COOKIE_NAME = "convex_jwt";
+
+export const convex = (opts: { jwtExpirationSeconds?: number } = {}) => {
+  const { jwtExpirationSeconds = 60 * 15 } = opts;
+  const customSession = customSessionPlugin(async ({ user, session }) => {
+    const { userId, ...userData } = omit(user, ["id"]) as typeof user & {
+      userId: string;
+    };
+    return {
+      user: { ...userData, id: userId },
+      session: {
+        ...session,
+        userId,
+      },
+    };
+  });
+  const oidcProvider = oidcProviderPlugin({
+    loginPage: "/not-used",
+    metadata: {
+      issuer: `${process.env.CONVEX_SITE_URL}`,
+      jwks_uri: `${process.env.CONVEX_SITE_URL}/api/auth/convex/jwks`,
+    },
+  });
+  const jwt = jwtPlugin({
+    jwt: {
+      issuer: `${process.env.CONVEX_SITE_URL}`,
+      audience: "convex",
+      expirationTime: `${jwtExpirationSeconds}s`,
+      getSubject: (session) => {
+        // Return the userId from the app user table
+        return session.user.userId;
+      },
+      // eslint-disable-next-line @typescript-eslint/no-unused-vars
+      definePayload: ({ user: { id, userId, ...user }, session }) => ({
+        ...user,
+        sessionId: session.id,
+      }),
+    },
+  });
+  // Bearer plugin converts the session token to a cookie
+  // for cross domain social login after code verification, and is required for
+  // the headers() helper to work.
+  const bearer = bearerPlugin();
+  const schema = {
+    user: {
+      fields: { userId: { type: "string", required: false, input: false } },
+    } as const,
+    ...jwt.schema,
+  };
+  return {
+    id: "convex",
+    hooks: {
+      before: [...bearer.hooks.before],
+      after: [
+        ...oidcProvider.hooks.after,
+        {
+          matcher: (ctx) => {
+            return ctx.path?.startsWith("/sign-out");
+          },
+          handler: createAuthMiddleware(async (ctx) => {
+            const jwtCookie = ctx.context.createAuthCookie(JWT_COOKIE_NAME, {
+              maxAge: 0,
+            });
+            ctx.setCookie(jwtCookie.name, "", jwtCookie.attributes);
+          }),
+        },
+      ],
+    },
+    endpoints: {
+      getSession: createAuthEndpoint(
+        "/get-session",
+        {
+          method: "GET",
+          query: z.optional(
+            z.object({
+              // If cookie cache is enabled, it will disable the cache
+              // and fetch the session from the database
+              disableCookieCache: z
+                .boolean({
+                  description:
+                    "Disable cookie cache and fetch session from database",
+                })
+                .or(z.string().transform((v) => v === "true"))
+                .optional(),
+              disableRefresh: z
+                .boolean({
+                  description:
+                    "Disable session refresh. Useful for checking session status, without updating the session",
+                })
+                .optional(),
+            })
+          ),
+          metadata: {
+            CUSTOM_SESSION: true,
+            openapi: {
+              description: "Get custom session data",
+              responses: {
+                "200": {
+                  description: "Success",
+                  content: {
+                    "application/json": {
+                      schema: {
+                        type: "array",
+                        nullable: true,
+                        items: {
+                          $ref: "#/components/schemas/Session",
+                        },
+                      },
+                    },
+                  },
+                },
+              },
+            },
+          },
+          requireHeaders: true,
+        },
+        async (ctx) => {
+          const response = await customSession.endpoints.getSession({
+            ...ctx,
+            returnHeaders: false,
+          });
+          return response;
+        }
+      ) as unknown as ReturnType<typeof getSession>,
+      getOpenIdConfig: createAuthEndpoint(
+        "/convex/.well-known/openid-configuration",
+        {
+          method: "GET",
+          metadata: {
+            isAction: false,
+          },
+        },
+        async (ctx) => {
+          const response = await oidcProvider.endpoints.getOpenIdConfig({
+            ...ctx,
+            returnHeaders: false,
+          });
+          return response;
+        }
+      ),
+      getJwks: createAuthEndpoint(
+        "/convex/jwks",
+        {
+          method: "GET",
+          metadata: {
+            openapi: {
+              description: "Get the JSON Web Key Set",
+              responses: {
+                "200": {
+                  description: "JSON Web Key Set retrieved successfully",
+                  content: {
+                    "application/json": {
+                      schema: {
+                        type: "object",
+                        properties: {
+                          keys: {
+                            type: "array",
+                            description: "Array of public JSON Web Keys",
+                            items: {
+                              type: "object",
+                              properties: {
+                                kid: {
+                                  type: "string",
+                                  description:
+                                    "Key ID uniquely identifying the key, corresponds to the 'id' from the stored Jwk",
+                                },
+                                kty: {
+                                  type: "string",
+                                  description:
+                                    "Key type (e.g., 'RSA', 'EC', 'OKP')",
+                                },
+                                alg: {
+                                  type: "string",
+                                  description:
+                                    "Algorithm intended for use with the key (e.g., 'EdDSA', 'RS256')",
+                                },
+                                use: {
+                                  type: "string",
+                                  description:
+                                    "Intended use of the public key (e.g., 'sig' for signature)",
+                                  enum: ["sig"],
+                                  nullable: true,
+                                },
+                                n: {
+                                  type: "string",
+                                  description:
+                                    "Modulus for RSA keys (base64url-encoded)",
+                                  nullable: true,
+                                },
+                                e: {
+                                  type: "string",
+                                  description:
+                                    "Exponent for RSA keys (base64url-encoded)",
+                                  nullable: true,
+                                },
+                                crv: {
+                                  type: "string",
+                                  description:
+                                    "Curve name for elliptic curve keys (e.g., 'Ed25519', 'P-256')",
+                                  nullable: true,
+                                },
+                                x: {
+                                  type: "string",
+                                  description:
+                                    "X coordinate for elliptic curve keys (base64url-encoded)",
+                                  nullable: true,
+                                },
+                                y: {
+                                  type: "string",
+                                  description:
+                                    "Y coordinate for elliptic curve keys (base64url-encoded)",
+                                  nullable: true,
+                                },
+                              },
+                              required: ["kid", "kty", "alg"],
+                            },
+                          },
+                        },
+                        required: ["keys"],
+                      },
+                    },
+                  },
+                },
+              },
+            },
+          },
+        },
+        async (ctx) => {
+          const response = await jwt.endpoints.getJwks({
+            ...ctx,
+            returnHeaders: false,
+          });
+          return response;
+        }
+      ),
+      getToken: createAuthEndpoint(
+        "/convex/token",
+        {
+          method: "GET",
+          requireHeaders: true,
+          use: [sessionMiddleware],
+          metadata: {
+            openapi: {
+              description: "Get a JWT token",
+              responses: {
+                200: {
+                  description: "Success",
+                  content: {
+                    "application/json": {
+                      schema: {
+                        type: "object",
+                        properties: {
+                          token: {
+                            type: "string",
+                          },
+                        },
+                      },
+                    },
+                  },
+                },
+              },
+            },
+          },
+        },
+        async (ctx) => {
+          const response = await jwt.endpoints.getToken({
+            ...ctx,
+            returnHeaders: false,
+          });
+          const jwtCookie = ctx.context.createAuthCookie(JWT_COOKIE_NAME, {
+            maxAge: jwtExpirationSeconds,
+          });
+          ctx.setCookie(jwtCookie.name, response.token, jwtCookie.attributes);
+          return response;
+        }
+      ),
+    },
+    schema,
+  } satisfies BetterAuthPlugin;
+};

package/src/plugins/cross-domain/client.ts

@@ -0,0 +1,209 @@
+import type { BetterAuthClientPlugin, Store } from "better-auth";
+import { BetterFetchOption } from "@better-fetch/fetch";
+import { crossDomain } from ".";
+
+interface CookieAttributes {
+  value: string;
+  expires?: Date;
+  "max-age"?: number;
+  domain?: string;
+  path?: string;
+  secure?: boolean;
+  httpOnly?: boolean;
+  sameSite?: "Strict" | "Lax" | "None";
+}
+
+export function parseSetCookieHeader(
+  header: string
+): Map<string, CookieAttributes> {
+  const cookieMap = new Map<string, CookieAttributes>();
+  const cookies = header.split(", ");
+  cookies.forEach((cookie) => {
+    const [nameValue, ...attributes] = cookie.split("; ");
+    const [name, value] = nameValue.split("=");
+
+    const cookieObj: CookieAttributes = { value };
+
+    attributes.forEach((attr) => {
+      const [attrName, attrValue] = attr.split("=");
+      cookieObj[attrName.toLowerCase() as "value"] = attrValue;
+    });
+
+    cookieMap.set(name, cookieObj);
+  });
+
+  return cookieMap;
+}
+
+interface StoredCookie {
+  value: string;
+  expires: Date | null;
+}
+
+export function getSetCookie(header: string, prevCookie?: string) {
+  const parsed = parseSetCookieHeader(header);
+  let toSetCookie: Record<string, StoredCookie> = {};
+  parsed.forEach((cookie, key) => {
+    const expiresAt = cookie["expires"];
+    const maxAge = cookie["max-age"];
+    const expires = expiresAt
+      ? new Date(String(expiresAt))
+      : maxAge
+        ? new Date(Date.now() + Number(maxAge) * 1000)
+        : null;
+    toSetCookie[key] = {
+      value: cookie["value"],
+      expires,
+    };
+  });
+  if (prevCookie) {
+    try {
+      const prevCookieParsed = JSON.parse(prevCookie);
+      toSetCookie = {
+        ...prevCookieParsed,
+        ...toSetCookie,
+      };
+    } catch {
+      //
+    }
+  }
+  return JSON.stringify(toSetCookie);
+}
+
+export function getCookie(cookie: string) {
+  let parsed = {} as Record<string, StoredCookie>;
+  try {
+    parsed = JSON.parse(cookie) as Record<string, StoredCookie>;
+  } catch {
+    // noop
+  }
+  const toSend = Object.entries(parsed).reduce((acc, [key, value]) => {
+    if (value.expires && value.expires < new Date()) {
+      return acc;
+    }
+    return `${acc}; ${key}=${value.value}`;
+  }, "");
+  return toSend;
+}
+
+export const crossDomainClient = (
+  opts: {
+    storage?: {
+      setItem: (key: string, value: string) => any;
+      getItem: (key: string) => string | null;
+    };
+    storagePrefix?: string;
+    disableCache?: boolean;
+  } = {}
+) => {
+  let store: Store | null = null;
+  const cookieName = `${opts?.storagePrefix || "better-auth"}_cookie`;
+  const localCacheName = `${opts?.storagePrefix || "better-auth"}_session_data`;
+  const storage =
+    opts?.storage || (typeof window !== "undefined" ? localStorage : undefined);
+
+  return {
+    id: "cross-domain",
+    $InferServerPlugin: {} as ReturnType<typeof crossDomain>,
+    getActions(_, $store) {
+      store = $store;
+      return {
+        /**
+         * Get the stored cookie.
+         *
+         * You can use this to get the cookie stored in the device and use it in your fetch
+         * requests.
+         *
+         * @example
+         * ```ts
+         * const cookie = client.getCookie();
+         * fetch("https://api.example.com", {
+         * 	headers: {
+         * 		cookie,
+         * 	},
+         * });
+         */
+        getCookie: () => {
+          const cookie = storage?.getItem(cookieName);
+          return getCookie(cookie || "{}");
+        },
+        /**
+         * Notify the session signal.
+         *
+         * This is used to trigger an update in useSession, generally when a new session
+         * token is set.
+         *
+         * @example
+         * ```ts
+         * client.notifySessionSignal();
+         * ```
+         */
+        updateSession: () => {
+          $store.notify("$sessionSignal");
+        },
+      };
+    },
+    fetchPlugins: [
+      {
+        id: "convex",
+        name: "Convex",
+        hooks: {
+          async onSuccess(context) {
+            if (!storage) {
+              return;
+            }
+            const setCookie = context.response.headers.get(
+              "set-better-auth-cookie"
+            );
+            if (setCookie) {
+              const prevCookie = await storage.getItem(cookieName);
+              const toSetCookie = getSetCookie(
+                setCookie || "",
+                prevCookie ?? undefined
+              );
+              await storage.setItem(cookieName, toSetCookie);
+              store?.notify("$sessionSignal");
+            }
+
+            if (
+              context.request.url.toString().includes("/get-session") &&
+              !opts?.disableCache
+            ) {
+              const data = context.data;
+              storage.setItem(localCacheName, JSON.stringify(data));
+            }
+          },
+        },
+        async init(url, options) {
+          if (!storage) {
+            return {
+              url,
+              options: options as BetterFetchOption,
+            };
+          }
+          options = options || {};
+          const storedCookie = storage.getItem(cookieName);
+          const cookie = getCookie(storedCookie || "{}");
+          options.credentials = "omit";
+          options.headers = {
+            ...options.headers,
+            "Better-Auth-Cookie": cookie,
+          };
+          if (url.includes("/sign-out")) {
+            await storage.setItem(cookieName, "{}");
+            store?.atoms.session?.set({
+              data: null,
+              error: null,
+              isPending: false,
+            });
+            storage.setItem(localCacheName, "{}");
+          }
+          return {
+            url,
+            options: options as BetterFetchOption,
+          };
+        },
+      },
+    ],
+  } satisfies BetterAuthClientPlugin;
+};